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DETAILED ACTION 
Information Disclosure Statement 

1 . The information disclosure statement (IDS) submitted on 10/12/2004 has been 
received, entered into the record, and considered. The submission is in compliance 
with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is 
being considered by the examiner. 

Specification 

2. The disclosure is objected to because of the following informalities: In paragraph 
26 of the specification, the phrase "previously discussed, the logged information 
associated an alert or flagged" is incoherent. The examiner suggests that applicant 
amend the specification to change the aforementioned phrase to "previously discussed, 
the logged information associated with an alert or flagged" 

Appropriate correction is required. 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 
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4. Claim 1 is rejected under 35 U.S.C. 102(e) as being anticipated by Mclchionc 
(U.S. Patent 6.973.578). 

5. Regarding claim 1 , Mclchionc teaches a method comprising: 

A) flagging a program in response to at least one of: opening a local file on a local file 
system to perform a read operation and opening a shared file on a shared or network 
file system to perform a write or append operation with the local file (Column 3, lines 56- 
67-Column4, lines 1-9); 

B) the program reading or opening itself and the program attempting to write or append 
any content to the shared file on the shared or network file system or to write or append 
any content to the local file on the local file system (Column 3, lines 56-67-Column 4, 
lines 1-9); 

C) the program attempting to write or append the local file to the shared or network file 
system and preserve a filename of the local file in the shared or network file system 
(Column 3, lines 56-67-Column 4. lines 1-9); and 

D) the program attempting to write or append a remote file to the local file system 
(Column 3, lines 56-67-Column 4, lines 1-9). 

The examiner notes that Mclchionc teaches "flagging a program in response 
to at least one of: opening a local file on a local file system to perform a read 
operation and opening a shared file on a shared or network file system to perform 
a write or append operation with the local file" as "an indication is first received that 
a file is being accessed by a process... such accessing may include opening the files, 
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reading the files, executing the files, indexing the files, organizing the files, editing the 
files, moving the files, or any other function that involves the files" (Column 3. lines 58- 
67-Column 4, lines 1 -9). The examiner further notes that Mclchionc teaches "the 
program reading or opening itself and the program attempting to write or append 
any content to the shared file on the shared or network file system or to write or 
append any content to the local file on the local file system" as 'an indication is first 
received that a file is being accessed by a process... such accessing may include 
opening the files, reading the files, executing the files, indexing the files, organizing the 
files, editing the files, moving the files, or any other function that involves the files" 
(Column 3, lines 58-67-Column 4, lines 1-9). The examiner further notes that 
Mclchionc teaches "the program attempting to write or append the local file to the 
shared or network file system and preserve a filename of the local file in the 
shared or network file system" as "an indication is first received that a file is being 
accessed by a process... such accessing may include opening the files, reading the 
files, executing the files, indexing the files, organizing the files, editing the files, moving 
the files, or any other function that involves the files" (Column 3, lines 58-67-Column 
4, lines 1-9). The examiner further notes that Mclchionc teaches "the program 
attempting to write or append a remote file to the local file system" as "an 
Indication is first received that a file is being accessed by a process... such accessing 
may include opening the files, reading the files, executing the files, indexing the files, 
organizing the files, editing the files, moving the files, or any other function that involves 
the files" (Column 3, lines 58-67-Column 4, lines 1-9). 
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Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

This application currently names joint inventors. In considering patentability of 
the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of 
the various claims was commonly owned at the time any inventions covered therein 
were made absent any evidence to the contrary. Applicant is advised of the obligation 
under 37 CFR 1.56 to point out the inventor and invention dates of eacti claim that was 
not commonly owned at the time a later invention was made in order for the examiner to 
consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (0 or (g) 
prior art under 35 U.S.C. 103(a). 

7. Claims 2, 6, 8-9, 13-16, 21. 23-25, 28, 30, 32-34, 38, and 40-43 are rejected 
under 35 U.S.C. 103(a) as being unpatentable over Mclchionc (U.S. Patent 6,973,578) 
as applied to claim 1 and in view of Norton (Article entitled "Norton Antivirus Corporate 
Edition User's Guide, dated 09/11/2001). 

8. Regarding claim 2, Mclchionc does not explicitly teach a method comprising: 
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A) inhibiting a write or append operation associated with program in response to 
flagging the program. 

Norton, however, teaches "inhibiting a write or append operation associated 
with program in response to flagging the program" as "By default, when a virus is 
detected by either Realtime Protection or during a scan, Norton Antivirus attempts to 
clean the virus from the infected file" (Page 13, Section: "What to do if a virus is 
detected"). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 6, IVIclchionc does not explicitly teach a method comprising: 
A) storing a filename and a location where the local or shared file is copied or written in 
response to the local or shared file being copied or written by the program. 

Norton, however, teaches "storing a filename and a location where the local 
or shared file is copied or written in response to the local or shared file being 
copied or written by the program" as "Depending on your anti-virus policy, you can 
change these settings to delete on detection or leave alone (log only)" (Page 13, 
Section: "What to do if a virus is detected") and "If viruses are detected during the scan, 
the dialog box includes the name of the infected file, the name of the virus, and the 
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action taken. An alert is also generated, by default, whenever a virus is detected" (Page 
32, Section: Interpreting scan results"). 

The examiner notes that the dialog box on page 32 contains the location of the 
infected file as a path. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remoye them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 8, Mclchionc does not explicitly teach a method comprising: 
A) logging any file system operations including recording a filename and a location 
where the local or shared file is written. 

Norton, however, teaches "logging any file system operations including 
recording a filename and a location where the local or shared file is written" as 
"Depending on your anti-virus policy, you can change these settings to delete on 
detection or leave alone (log only)" (Page 1 3, Section: "What to do if a virus is 
detected") and "If viruses are detected during the scan, the dialog box includes the 
name of the infected file, the name of the virus, and the action taken. An alert is also 
generated, by default, whenever a virus is detected" (Page 32, Section: Interpreting 
scan results"). 
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The examiner notes that the dialog box on page 32 contains the location of the 
infected file as a path. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 9, Mclchionc teaches a method comprising: 

A) monitoring predetermined file system operations associated with a program (Column 
3, lines 56-67-Column 4, lines 1-9). 

The examiner notes that Mclchionc teaches ''monitoring predetermined file 
system operations associated with a program" as "an indication is first received that 
a file is being accessed by a process... such accessing may include opening the files, 
reading the files, executing the files, indexing the files, organizing the files, editing the 
files, moving the files, or any other function that involves the files" (Column 3, lines 58- 
67-Column 4,lines 1-9). 

Mclchionc does not explicitly teach: 

B) logging any predetermined file system operations associated with the program 
including recording a filename and a location where a file is written. 

Norton, however, teaches "logging any predetermined file system 
operations associated with the program including recording a filename and a 
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location where a file is written" as "Depending on your anti-virus policy, you can 
change these settings to delete on detection or leave alone (log only)" (Page 13. 
Section: "What to do if a virus is detected") and "If viruses are detected during the scan, 
the dialog box includes the name of the infected file, the name of the virus, and the 
action taken. An alert is also generated, by default, whenever a virus is detected" (Page 
32, Section: Interpreting scan results"). 

The examiner notes that the dialog box on page 32 contains the location of the 
infected file as a path. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 13, Mclchionc does not explicitly teach a method comprising: 
A) following a predefined procedure in response to a level of security set. 

Norton, however, teaches "following a predefined procedure in response to 
a level of security set" as "If you regularly scan the same set of files or folders you can 
create a Custom Scan restricted to just those items. At any time, you can quickly verify 
that the specified files and folders are virus-free"" (Page 32, Section: Configuring 
Custom Scans"). 
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It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 14, Mclchionic further teaches a method comprising: 
A) flagging the program in response to the program attempting to perform one of the 
predetermined file system operations (Column 3, lines 56-67-Column 4, lines 1-9). 

The examiner notes that Mclchionc teaches "flagging the program in 
response to the program attempting to perform one of the predetermined file 
system operations" as "an indication is first received that a file is being accessed by a 
process... such accessing may include opening the files, reading the files, executing the 
files, indexing the files, organizing the files, editing the files, moving the files, or any 
other function that involves the files" (Column 3, lines 58-67-Column 4, lines 1-9). 

Regarding claim 15, Mclchionc further teaches a method comprising: 
A) flagging the program in response to at least one of: the program opening a local file 
on a local file system to perform a read operation and opening a shared file on a shared 
or network file system to perform a write or append operation with the local file (Column 
3, lines 56-67-Column 4, lines 1-9); 
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B) the program reading or opening itself and the program attempting to write or append 
any content to the shared file on the shared or network file system or to write or append 
any content to the local file on the local file system (Column 3, lines 56-67-Column 4, 

lines 1-9); 

C) the program attempting to write or append the local file to the shared or network file 
system and preserve a filename of the local file in the shared or network file system 
(Column 3, lines 56-67-Column 4, lines 1-9); and 

D) the program attempting to write or append a remote file to the local file system 
(Column 3, lines 56-67-Column 4, lines 1-9). 

The examiner notes that Mclchionc teaches "flagging the program in 
response to at least one of: the program opening a local file on a local file 
system to perform a read operation and opening a shared file on a shared or 
network file system to perform a write or append operation with the local file" as 
"an indication is first received that a file is being accessed by a process... such 
accessing may include opening the files, reading the files, executing the files, indexing 
the files, organizing the files, editing the files, moving the files, or any other function that 
involves the files" (Column 3. lines 58-67-Column 4, lines 1-9). The examiner further 
notes that Mclchionc teaches "the program reading or opening itself and the 
program attempting to write or append any content to the shared file on the 
shared or network file system or to write or append any content to the local file 
on the local file system" as "an indication is first received that a file is being accessed 
by a process... such accessing may include opening the files, reading the files, 
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executing the files, indexing the files, organizing the files, editing the files, moving the 
files, or any other function that involves the files" (Column 3, lines 58-67-Column 4,lines 
1-9). The examiner further notes that Mclchionc teaches "the program attempting to 
write or append the local file to the shared or network file system and preserve a 
filename of the local file in the shared or network file system" as "an indication is 
first received that a file is being accessed by a process... such accessing may include 
opening the files, reading the files, executing the files, indexing the files, organizing the 
files, editing the files, moving the files, or any other function that involves the files" 
(Column 3, lines 58-67-Column 4, lines 1-9). The examiner further notes that 
Mclchionc teaches "the program attempting to write or append a remote file to the 
local file system" as "an indication is first received that a file is being accessed by a 
process... such accessing nnay include opening the files, reading the files, executing the 
files, indexing the files, organizing the files, editing the files, moving the files, or any 
other function that involves the files" (Column 3, lines 58-67-Column 4,rmes 1-9). 

Regarding claim 16, Mclchionc does not explicitly teach a method comprising: 
A) inhibiting any predetermined file system operations associated with the program in 
response to the program being flagged. 

Norton, however, teaches 'Inhibiting any predetermined file system 
operations associated with the program in response to the program being 
flagged" as "By default, when a virus is detected by either Realtime Protection or 
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during a scan, Norton Antivirus attempts to clean the virus from the infected file" (Page 
13, Section: "What to do if a virus is detected"). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 21, Mclchionc teaches a system comprising: 

A) a file system protection program including: means to monitor predetermined file 
system operations associated with another program (Column 3, lines 56-67-Column 4, 
lines 1-9), 

The examiner notes that Mclchionc teaches "a file system protection 
program including: means to monitor predetermined file system operations 
associated with another program" as "an indication is first received that a file is being 
accessed by a process... such accessing may include opening the files, reading the 

■ 

files, executing the files, indexing the files, organizing the files, editing the files, moving 
the files, or any other function that involves the files" (Column 3, lines 58-67-Column 
4, lines 1-9). 

Mclchionc does not explicitly teach: 

B) means to log any predetermined file system operations associated with the other 
program including recording a filename and a location where a file is written. 
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Norton, however, teaches "means to log any predetermined file system 
operations associated with the other program including recording a filename and 
a location where a file is written" as "Depending on your anti-virus policy, you can 
change these settings to delete on detection or leave alone (log only)" (Page 13, 
Section: "What to do if a virus is detected") and "If viruses are detected during the scan, 
the dialog box includes the name of the infected file, the name of the virus, and the 
action taken. An alert is also generated, by default, whenever a virus is detected" (Page 
32, Section: Interpreting scan results"). 

The examiner notes that the dialog box on page 32 contains the location of the 
infected file as a path. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 

■ 

Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 23, Mclchionc does not explicitly teach a system comprising: 
A) a log to record any predetermined file system operations. 

Norton, however, teaches "a log to record any predetermined file system 
operations" as "Depending on your anti-virus policy, you can change these settings to 
delete on detection or leave alone (log only)" (Page 13, Section: "What to do if a virus is 
detected") and "If viruses are detected during the scan, the dialog box includes the 
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name of the infected file, the name of the virus, and the action taken. An alert is also 
generated, by default, whenever a virus is detected" (Page 32, Section: Interpreting 

scan results"). 

The examiner notes that the dialog box on page 32 contains the location of the 
infected file as a path. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 24, Mclchionc further teaches a system comprising: 

A) means to flag the other program in response to at least one of: the other program 
opening a local file on a local file system to perform a read operation and opening a 
shared file on a shared or network file system to perform a write or append operation 
with the local file (Column 3, lines 56-67-Column 4, lines 1-9); 

B) the other program reading or opening itself and the other program attempting to 
write or append itself or any content to the shared file on the shared or network file 
system or to write or append itself or any content to the local file on the local file system 
(Column 3, lines 56-67-Column 4, lines 1-9); 
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C) the other program attempting to write or append the local file to the shared or 
network file system and preserve a filename of the local file in the shared or network file 
system (Column 3, lines 56-67-Column 4, lines 1-9); and 

D) the other program attempting to write or append a remote file to the local file system 
(Column 3, lines 56-67-Column 4, lines 1-9). 

» 

The examiner notes that Mclchionc teaches "means to flag the other program 
in response to at least one of: the other program opening a local file on a local file 
system to perform a read operation and opening a shared file on a shared or 
network file system to perform a write or append operation with the local file" as 

"an indication is first received that a file is being accessed by a process... such 
accessing may include opening the files, reading the files, executing the files, indexing 
the files, organizing the files, editing the files, moving the files, or any other function that 
involves the files" (Column 3, lines 58-67-Column 4,lines 1-9). The examiner further 
notes that Mclchionc teaches "the other program reading or opening itself and the 
other program attempting to write or append itself or any content to the shared 
file on the shared or network file system or to write or append itself or any 
content to the local file on the local file system" as "an indication is first received 
that a file is being accessed by a process... such accessing may include opening the 
files, reading the files, executing the files, indexing the files, organizing the files, editing 
the files, moving the files, or any other function that involves the files" (Column 3, lines 
58-67-Column 4, lines 1-9). The examiner further notes that Mclchionc teaches "the 
other program attempting to write or append the local file to the shared or 
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network file system and preserve a filename of the local file in the shared or 
network file system" as "an indication is first received that a file is being accessed by 
a process... such accessing may include opening the files, reading the files, executing 
the files, indexing the files, organizing the files, editing the files, moving the files, or any 
other function that involves the files" (Column 3, lines 58-67-Column 4, lines 1-9). The 
examiner further notes that Mclchionc teaches "the other program attempting to 
write or append a remote file to the local file system" as "an indication is first 
received that a file is being accessed by a process... such accessing may include 
opening the files, reading the files, executing the files, indexing the files, organizing the 
files, editing the files, moving the files, or any other function that involves the files" 
(Column 3, lines 58-67-Column 4, lines 1-9). 

Regarding claim 25, Mclchionic further teaches a system comprising: 
A) means to flag the other program in response to the other program attempting to 
perform one of the predetermined file system operations (Column 3, lines 56-67-Column 
4. lines 1-9). 

The examiner notes that Mclchionc teaches "means to flag the other program 
in response to the other program attempting to perform one of the predetermined 
file system operations" as "an indication is first received that a file is being accessed 
by a process.,. such accessing may include opening the files, reading the files, 
executing the files, indexing the files, organizing the files, editing the files, moving the 
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files, or any other function that involves the files" (Column 3, lines 58-67-Column 4Jines 
1-9). 

Regarding claim 28, Mclchionc does not explicitly teach a system comprising: 
A) to inhibit predetermined file system operations associated with the other program in 
response to the program other being flagged. 

Norton, however, teaches "to inhibit predetermined file system operations 
associated with the other program in response to the program other being 
flagged" as "By default, when a virus is detected by either Realtime Protection or 
during a scan, Norton Antivirus attempts to clean the virus from the infected file" (Page 
1 3, Section: "What to do if a virus is detected"). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 30, Mclchionc teaches a method comprising: 
A) providing a file system protection program including: providing means to monitor 
predetermined file system operations associated with another program (Column 3. lines 
56-67-Column 4, lines 1-9). 
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The examiner notes that Mclchionc teaches "providing a file system 
protection program including: providing means to monitor predetermined file 
system operations associated with another program" as "an indication is first 
received that a file is being accessed by a process.., such accessing may include 
opening the files, reading the files, executing the files, indexing the files, organizing the 
files, editing the files, moving the files, or any other function that involves the files" 
(Column 3, lines 58-67-Column 4, lines 1-9). 

Mclchionc does not explicitly teach: 
B) providing means to log any predetermined file system operations associated with the 
other program including recording a filename and a location where a file is written. 

Norton, however, teaches "providing means to log any predetermined file 
system operations associated with the other program including recording a 
filename and a location where a file is written" as "Depending on your anti-virus 
policy, you can change these settings to delete on detection or leave alone (log only)" 
(Page 13, Section: "What to do if a virus is detected") and "If viruses are detected 
during the scan, the dialog box includes the name of the infected file, the name of the 
virus, and the action taken. An alert is also generated, by default, whenever a virus is 
detected" (Page 32, Section: Interpreting scan results"). 

The examiner notes that the dialog box on page 32 contains the location of the 
infected file as a path. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
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Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 32, Mclchionc does not explicitly teach a method comprising: 
A) forming a log to record any predetermined file system operations. 

Norton, however, teaches "forming a log to record any predetermined file 
system operations" as "Depending on your anti-virus policy, you can change these 
settings to delete on detection or leave alone (log only)" (Page 13, Section: "What to do 
if a virus is detected") and "If viruses are detected during the scan, the dialog box 
includes the name of the infected file, the name of the virus, and the action taken. An 
alert is also generated, by default, whenever a virus is detected" (Page 32, Section: 
Interpreting scan results"). 

The examiner notes that the dialog box on page 32 contains the location of the 
infected file as a path. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 33, Mclchionc further teaches a method comprising: 
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A) providing means to flag the other program in response to at least one of: the other 
program opening a local file on a local file system to perform a read operation and 
opening a shared file on a shared or network file system to perform a write or append 
operation with the local file (Column 3, lines 56-67-Column 4, lines 1-9); 

B) the other program reading or opening itself and the other program attempting to 
write or append itself or any content to the shared file on the shared or network file 
system or to write or append itself or any content to the local file on the local file system 
(Column 3, lines 56-67-Column 4, lines 1-9); 

C) the other program attempting to write or append the local file to the shared or 
network file system and preserve a filename of the local file in the shared or network file 
system (Column 3, lines 56-67-Column 4, lines 1-9); and 

D) the other program attempting to write or append a remote file to the local file system 
(Column 3, lines 56-67-Column 4, lines 1-9). 

The examiner notes that Mclchionc teaches "providing means to flag the 
other program in response to at least one of: the other program opening a local 
file on a local file system to perform a read operation and opening a shared file on 
a shared or network file system to perform a write or append operation with the 
local file" as "an indication is first received that a file is being accessed by a 
process... such accessing may include opening the files, reading the files, executing the 
files, indexing the files, organizing the files, editing the files, moving the files, or any 
other function that involves the files" (Column 3, lines 58-67-Column 4,lines 1-9). The 
examiner further notes that Mclchionc teaches "the other program reading or 
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opening itself and the other program attempting to write or append itself or any 
content to the shared file on the shared or network file system or to write or 
append itself or any content to the local file on the local file system" as "an 

indication is first received that a file is being accessed by a process... such accessing 
may include opening the files, reading the files, executing the files, indexing the files, 
organizing the files, editing the files, moving the files, or any other function that involves 
the files" (Column 3, lines 58-67-Column 4,lines 1-9). The examiner further notes that 
Mclchionc teaches "the other program attempting to write or append the local file 
to the shared or network file system and preserve a filename of the local file in 
the shared or network file system" as "an indication is first received that a file is being 
accessed by a process... such accessing may include opening the files, reading the 
files, executing the files, indexing the files, organizing the files, editing the files, moving 
the files, or any other function that involves the files" (Column 3, lines 58-67-Column 
4,lines 1-9). The examiner further notes that Mclchionc teaches "the other program 
attempting to write or append a remote file to the local file system" as "an 
indication is first received that a file Is being accessed by a process... such accessing 
may include opening the files, reading the files, executing the files, indexing the files, 
organizing the files, editing the files, moving the files, or any other function that involves 
the files" (Column 3, lines 58-67-Column 4,lines 1-9). 

Regarding claim 34. Mclchionic further teaches a method comprising: 
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A) providing means to flag the other program in response to the other program 
attempting to perform one of the predetermined file system operations (Column 3, lines 
56-67-Column 4, lines 1-9). 

The examiner notes that Mclchionc teaches "providing means to flag the 
other program in response to the other program attempting to perform one of the 
predetermined file system operations" as "an indication is first received that a file is 
being accessed by a process... such accessing may include opening the files, reading 
the files, executing the files, indexing the files, organizing the files, editing the files, 
moving the files, or any other function that involves the files" (Column 3. lines 58-67- 
Column 4, lines 1-9). 

Regarding claim 38, Mclchionc teaches a computer-readable medium 
comprising: 

A) monitoring predetermined file system operations associated with a program (Column 
3, lines 56-67-Column 4, lines 1-9). 

The examiner notes that Mclchionc teaches "monitoring predetermined file 
system operations associated with a program" as "an indication is first received that 
a file is being accessed by a process... such accessing may include opening the files, 
reading the files, executing the files, indexing the files, organizing the files, editing the 
files, moving the files, or any other function that involves the files" (Column 3, lines 58- 
67-Column 4,rines 1-9). 

Mclchionc does not explicitly teach: 
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B) logging any predetermined file system operations associated with the program 
including recording a filename and a location where a file is written. 

Norton, however, teaches "logging any predetermined file system 
operations associated with the program including recording a filename and a 
location where a file is written" as "Depending on your anti-virus policy, you can 
change these settings to delete on detection or leave alone (log only)" (Page 13, 
Section: "What to do if a virus is detected") and "If viruses are detected during the scan, 
the dialog box includes the name of the infected file, the name of the virus, and the 
action taken. An alert is also generated, by default, whenever a virus is detected" (Page 
32, Section: Interpreting scan results"). 

The examiner notes that the dialog box on page 32 contains the location of the 
infected file as a path. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 13, Mclchionc does not explicitly teach a computer-readable 
medium comprising: 

A) following a predefined procedure in response to a level of security set. 



Application/Control Number: 10/710,477 Page 25 

Art Unit: 2168 

Norton, however, teaches "following a predefined procedure in response to 
a level of security set" as "If you regularly scan the same set of files or folders you can 
create a Custom Scan restricted to just those items. At any time, you can quickly verify 
that the specified files and folders are virus-free"" (Page 32, Section: Configuring 
Custom Scans"). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Regarding claim 41, Mclchionic further teaches a computer-readable medium 
comprising: 

A) flagging the program in response to the program attempting to perform one of the 
predetermined file system operations (Column 3, lines 56-67-Column 4, lines 1-9). 

The examiner notes that Mclchionc teaches "flagging the program in 
response to the program attempting to perform one of the predetermined file 
system operations" as "an indication is first received that a file is being accessed by a 
process... such accessing may include opening the files, reading the files, executing the 
files, indexing the files, organizing the files, editing the files, moving the files, or any 
other function that involves the files" (Column 3, lines 58-67-Column 4, lines 1-9). 
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Regarding claim 42, Mclchionc further teaches a computer-readable medium 
comprising: 

A) flagging the program in response to at least.one of: the program opening a local file 
on a local file system to perform a read operation and opening a shared file on a shared 
or network file system to perform a write or append operation with the local file (Column 
3, lines 56-67-Column 4, lines 1-9); 

B) the program reading or opening itself and the program attempting to write or append 
itself or any content to the shared file on the shared or network file system or to write or 
append itself or any content to the local file on the local file system (Column 3, lines 56- 
67-Column 4, lines 1-9); 

C) the program attempting to write or append the local file to the shared or network file 
system and preserve a filename of the local file in the shared or network file system 
(Column 3, lines 56-67-Column 4, lines 1-9); and 

D) the program attempting to write or append a remote file to the local file system 
(Column 3, lines 56-67-Column 4, lines 1-9). 

The examiner notes that Mclchionc teaches "flagging the program in 
response to at least one of: the program opening a local file on a local file system 
to perform a read operation and opening a shared file on a shared or network file 
system to perform a write or append operation with the local file" as "an indication 
is first received that a file is being accessed by a process... such accessing may include 
opening the files, reading the files, executing the files, indexing the files, organizing the 
files, editing the files, moving the files, or any other function that involves the files" 
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(Column 3, lines 58-67-Column 4,lines 1-9). The examiner further notes that 
Mclchionc teaches "the program reading or opening itself and the program 
attempting to write or append itself or any content to the shared file on the shared 
or network file system or to write or append itself or any content to the local file 
on the local file system" as "an indication is first received that a file is being accessed 
by a process... such accessing may include opening the files, reading the files, 
executing the files, indexing the files, organizing the files, editing the files, moving the 
files, or any other function that involves the files" (Column 3, lines 58-67-Column 4, lines 
1-9). The examiner further notes that Mclchionc teaches "the program attempting to 
write or append the local file to the shared or network file system and preserve a 
filename of the local file in the shared or network file system" as "an indication is 
first received that a file is being accessed by a process... such accessing may include 
opening the files, reading the files, executing the files, indexing the files, organizing the 
files, editing the files, moving the files, or any other function that involves the files" 
(Column 3, lines 58-67-Column 4,lines 1-9). The examiner further notes that 
Mclchionc teaches "the program attempting to write or append a remote file to the 
local file system" as "an indication is first received that a file is being accessed by a 
process... such accessing may include opening the files, reading the files, executing the 
files, indexing the files, organizing the files, editing the files, moving the files, or any 
other function that involves the files" (Column 3. lines 58-67-Column 4,lines 1-9). 
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Regarding claim 43, Mcichionc does not explicitly teach a computer-readable 
medium comprising: 

4 

A) inhibiting any predetermined file system operations associated with the program in 
response to the program being flagged. 

Norton, however, teaches 'Inhibiting any predetermined file system 
operations associated with the program in response to the program being 
flagged" as "By default, when a virus is detected by either Realtime Protection or 
during a scan, Norton Antivirus attempts to clean the virus from the infected file" (Page 
13, Section: "What to do if a virus is detected"). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

9. Claims 3-5 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Mcichionc (U.S. Patent 6,973,578) as applied to claim 1 and in view of Satterlee et al. 

(U.S. PGPUB 2004/0025015). 

10. Regarding claim 3, Mcichionc does not explicitly teach a method comprising: 
A) monitoring all file operations associated with the program in response to the 
program not being in a safe list. 
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Satterlee, however, teaches "monitoring all file operations associated with 
the program in response to the program not being in a safe list" as "the present 
invention comprises a method for determining whether a program is approved to 
execute by comparing it to a predetermined list of approved programs... If the new 
program is not validated, the program can continue to load and execute, but other 
security modules are responsible for detecting, monitoring, and responding to 
suspicious activities" (Paragraph 13). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's to provide a method to allow for security 
systems to enable early detection of threats to a computing device or network before an 
harm can be done by quickly and efficiently examining code in real time, as noted by 
Satterlee (Paragraph 11). 

Regarding claim 4, Mclchionc does not explicitly teach a method comprising: 
A) permitting selected read and write operations in response to a predefined rules 
table. 

Satterlee, however, teaches "permitting selected read and write operations 
in response to a predefined rules table" as "the present invention comprises a 
method for determining whether a program is approved to execute by comparing it to a 
predetermined list of approved programs... If the new program is not validated, the 
program can continue to load and execute, but other security modules are responsible 
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for detecting, monitoring, and responding to suspicious activities" (Paragraph 13) and 
"predetermined responses to particular threats and decision rules as to when the user 
should be queried about a security threat" (Paragraph 39). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's to provide a method to allow for security 
systems to enable early detection of threats to a computing device or network before an 
harm can be done by quickly and efficiently examining code in real time, as noted by 
Satterlee (Paragraph 11). 

Regarding claim 5, Mclchionc does not explicitly teach a method comprising: 
A) sending an alert in response to flagging the program. 

Satterlee, however, teaches "sending an alert in response to flagging the 
program" as "the behavior monitors 128 can take direct action to address a security 
threat or instruct the protector application 1 15 to query the user for instructions on how 
to handle the threat" (Paragraph 35) and "predetermined responses to particular threats 
and decision rules as to when the user should be queried about a security threat" 
(Paragraph 39). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's to provide a method to allow for security 
systems to enable early detection of threats to a computing device or network before an 
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harm can be done by quickly and efficiently examining code in real time, as noted by 
Satterlee (Paragraph 11). 

11. Claim 7 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Mclchionc (U.S. Patent 6,973,578) as applied to claim 1 and in view of Wolff et al. 
(U.S. PGPUB 2002/0174358). 

12. Regarding claim 7, Mclchionc does not explicitly teach a method comprising: 
A) sending an alert to a network monitoring system in response to flagging the 
program. 

Wolff, however, teaches "sending an alert to a network monitoring system in 
response to flagging the program" as "An event report, such as a virus detection 
event, is sent from a reporting computer 2 to a receiving computer 6 via an internet link 
4" (Abstract)! 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
WolfTs would have allowed Mclchionc's to provide a method to allow major antivirus 
software providers to accurately determine what viruses are common and attacking how 
many users in order to direct resources to combat these viruses, as noted by Wolff 
(Paragraph 4). 
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13. Claims 10-12, 17, 19-20, 22, 26, 29, 31, 35, 37, 39, and 44 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Mclchionc (U.S. Patent 6,973,578) as 
applied to claim 1 and in view of Norton (Article entitled "Norton Antivirus Corporate 
Edition User's Guide, dated 09/11/2001) as applied to claims 2, 6, 8-9, 13-16, 21, 23-25, 
28, 30, 32-34, 38, and 40-43 and further in view of Satterlee et al. (U.S. PGPUB 
2004/0025015). 

14. Regarding claim 10, Mclchionc and Norton do not explicitly teach a. method 
comprising: 

A) selecting the program for monitoring in response to the program not being on a safe 
list. 

Satterlee, however, teaches "selecting the program for monitoring in 
response to the program not being on a safe list" as "the present invention 
comprises a method for determining whether a program is approved to execute by 
comparing it to a predetermined list of approved programs... If the new program is not 
validated, the program can continue to load and execute, but other security modules are 
responsible for detecting, monitoring, and responding to suspicious activities" 
(Paragraph 13). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
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network before an harm can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 

Regarding claim 11, Mclchionc does not explicitly teach a method comprising: 

A) logging any file system operations. 

Norton, however, teaches "logging any file system operations" as 
"Depending on your anti-virus policy, you can change these settings to delete on 
detection or leave alone (log only)" (Page 13, Section: "What to do if a virus is 
detected") and "If viruses are detected during the scan, the dialog box includes the 
name of the infected file, the name of the virus, and the action taken. An alert is also 
generated, by default, whenever a virus is detected" (Page 32, Section: Interpreting 
scan results"). 

The examiner notes that the dialog box on page 32 contains the location of the 
infected file as a path. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Norton's would have allowed Mclchionc's to provide a method to quickly detect 
viruses in order to remove them from a computer so that the virus cannot spread to 
other files and cause damage, as noted by Norton (Page 8). 

Mclchionc and Norton do not explicitly teach: 

B) associated with any programs on the safe list 
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Satterlee, however, teaches "associated with any programs on the safe list" 
as "the present invention comprises a method for determining whether a program is 
approved to execute by comparing it to a predetermined list of approved programs... If 
the new program is not validated, the program can continue to load and execute, but 
other security modules are responsible for detecting, monitoring, and responding to 
suspicious activities" (Paragraph 13). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
network before an harm can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 

Regarding claim 12, Mclchionc and Norton do not explicitly teach a method 
comprising: 

A) receiving a notification that the program intends to perform one of the predetermined 
file system operations. 

Satterlee, however, teaches "receiving a notification that the program 
intends to perform one of the predetermined file system operations" as "the 
behavior monitors 128 can take direct action to address a security threat or instruct the 
protector application 1 1 5 to query the user for instructions on how to handle the threat" 
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(Paragraph 35) and "predetermined responses to particular threats and decision rules 
as to when the user should be queried about a security threat" (Paragraph 39). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
network before an harm can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 

Regarding claim 17, Mclchionc and Norton do not explicitly teach a method 
comprising: 

A) sending an alert in response to the program attempting to perform any 
predetermined file system operations. 

Satterlee, however, teaches "sending an alert In response to the program 
attempting to perform any predetermined file system operations" as "the behavior 
monitors 128 can take direct action to address a security threat or instruct the protector 
application 1 15 to query the user for instructions on how to handle the threat" 
(Paragraph 35) and "predetermined responses to particular threats and decision rules 
as to when the user should be queried about a security threat" (Paragraph 39). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
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allow for security systems to enable early detection of threats to a computing device or 
network before an hamri can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 

Regarding claim 19, Mcichionc and Norton do not explicitly teach a method 
comprising: 

A) presenting an alert to a user for approval before the predetermined file system 
operation is performed by the program. 

Satterlee, however, teaches "presenting an alert to a user for approval 
before the predeternfiined file system operation is performed by the program" as 
"in step 605 the protector application 1 15 will consult the database 1 10 to determine if 
the user has been previously queried about the new non-validated executable file... If 
the user has previously approved the loading of this executable file in step 610, or if the 
user approves the new executable in this instance in step 615, then execution of the 
executable file will proceed" (Paragraph 45). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
network before an harm can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 
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Regarding claim 20, Mclchionc and Norton do not explicitly teach a method 
comprising: 

A) requiring approval before performing any predetermined file system operations 
associated the program in response to the program not being on a safe list. 

Satterlee, however, teaches "requiring approval before performing any 
predetermined file system operations associated the program in response to the 
program not being on a safe list" as "in step 605 the protector application 115 will 
consult the database 1 10 to determine if the user has been previously queried about the 
new non-validated executable file... If the user has previously approved the loading of 
this executable file in step 610, or if the user approves the new executable in this 
instance in step 615, then execution of the executable file will proceed" (Paragraph 45). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satteriee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
network before an harm can be done by quickly and efficiently examining code in real . 
time, as noted by Satteriee (Paragraph 11).. 

Regarding claim 22, Mclchionc and Norton do not explicitly teach a system 
comprising: 
A) a safe list; and 
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B) wherein the file system program is adapted to monitor the other program in 
response to the other program not being on the safe list. 

Satterlee, however, teaches "a safe list" as "predetermined list of approved 
programs" (Paragraph 13) and "wherein the file system program is adapted to 
monitor the other program in response to the other program not being on the safe 
list" as "the present invention comprises a method for determining whether a program 
is approved to execute by comparing it to a predetermined list of approved programs,.. If 
the new program is not validated, the program can continue to load and execute, but 
other security modules are responsible for detecting, monitoring, and responding to 
suspicious activities" (Paragraph 13). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
network before an harm can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 

Regarding claim 26, Mclchionc and Norton do not explicitly teach a system 
comprising: 

A) means to send an alert in response to flagging the other program. 

Satterlee. however, teaches "means to send an alert in response to flagging 
the other program" as "the behavior monitors 128 can take direct action to address a 
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security threat or instruct the protector application 1 15 to query the user for instructions 
on how to handle the threat" (Paragraph 35) and "predetermined responses to particular 
threats and decision rules as to when the user should be queried about a security 
threat" (Paragraph 39). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
network before an harm can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 

Regarding claim 29, Mclchionc and Norton do not explicitly teach a system 
comprising: 

A) means to present an alert to a user; and 

B) means for the user to approve the one of the predetermined file system operations 
before being performed by the other program. 

Satterlee, however, teaches "means to present an alert to a user" as "the 
behavior monitors 128 can take direct action to address a security threat or instruct the 
protector application 1 15 to query the user for instructions on how to handle the threat" 
(Paragraph 35) and "predetermined responses to particular threats and decision rules 
as to when the user should be queried about a security threat" (Paragraph 39), and 
"means for the user to approve the one of the predetermined file system 
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operations before being performed by the other program" as "in step 605 the 
protector application 1 15 will consult the database 1 10 to determine if the user has been 
previously queried about the new non-validated executable file... If the user has 
previously approved the loading of this executable file in step 610, or if the user 
approves the new executable in this instahce in step 615, then execution of the 
executable file will proceed" (Paragraph 45). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
network before an harm can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 

Regarding claim 31 , Mclchionc and Norton do not explicitly teach a system 
comprising: 

A) providing a safe list; and 

B) adapting the file system protection program to monitor the other program in 
response to the other program not being on the safe list. 

Satterlee, however, teaches "providing a safe list" as "predetermined list of 
approved programs" (Paragraph 13) and "adapting the file system protection 
program to monitor the other program in response to the other program not being 
on the safe list" as "the present invention comprises a method for determining whether 
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a program is approved to execute by comparing it to a predetermined list of approved 
programs... If the new program is not validated, the program can continue to load and 
execute, but other security modules are responsible for detecting, monitoring, and 
responding to suspicious activities" (Paragraph 13). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
network before an harm can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 

Regarding claim 35, Mclchionc and Norton do not explicitly teach a method 

i 

comprising: 

A) providing means to send an alert in response to flagging the other program. 

Satterlee, however, teaches "providing means to send an alert in response 
to flagging the other program" as "the behavior monitors 128 can take direct action to 
address a security threat or instruct the protector application 1 15 to query the user for 
instructions on how to handle the threat" (Paragraph 35) and "predetermined responses 
to particular threats and decision rules as to when the user should be queried about a 
security threat" (Paragraph 39). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
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Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
network before an harm can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 

Regarding claim 37, Mclchionc and Norton do not explicitly teach a method 
comprising: 

A) providing means to present an alert to a user; and 

B) providing means for the user to approve the one of the predetermined file system 
operations before being performed by the other program. 

Satterlee, however, teaches "providing means to present an alert to a user" 
as "the behavior monitors 128 can take direct action to address a security threat or 
instruct the protector application 1 15 to query the user for instructions on how to handle 
the threat" (Paragraph 35) and "predetermined responses to particular threats and 
decision rules as to when the user should be queried about a security threat" 
(Paragraph 39), and "providing means for the user to approve the one of the 
predetermined file system operations before being performed by the other 
program" as "in step 605 the protector application 1 15 will consult the database 1 10 to 
determine if the user has been previously queried about the new non-validated 
executable file... If the user has previously approved the loading of this executable file in 
step 610, or if the user approves the new executable in this instance in step 615, then 
execution of the executable file will proceed" (Paragraph 45), 
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It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
network before an harm can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 

Regarding claim 39, Mcichionc and Norton do not explicitly teach a computer- 
readable medium comprising: 

A) selecting the program for monitoring in response to the program not being on a safe 
list. 

Satterlee, however, teaches "selecting the program for monitoring in 
response to the program not being on a safe list" as "the present invention 
comprises a method for determining whether a program is approved to execute by 
comparing it to a predetermined list of approved programs... If the new program is not 
validated, the program can continue to load and execute, but other security modules are 
responsible for detecting, monitoring, and responding to suspicious activities" 
(Paragraph 13). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
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network before an harm can be done by quickly and efficiently examining code In real 
time, as noted by Satterlee (Paragraph 11). 

• ■ 

Regarding claim 44, Mcichionc and Norton do not explicitly teach a computer- 
readable medium comprising: 

A) sending an alert in response to the program attempting to perform any 
predetermined file system operations sending an alert in response to the program 
attempting to perform any predetermined file system operations. 

Satterlee, however, teaches "sending an alert in response to the program 
attempting to perform any predetermined file system operations" as "the behavior 
monitors 128 can take direct action to address a security threat or instruct the protector 
application 115 to query the user for instructions on how to handle the threat" 
(Paragraph 35) and "predetermined responses to particular threats and decision rules 
as to when the user should be queried about a security threat" (Paragraph 39). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Satterlee's would have allowed Mclchionc's and Norton's to provide a method to 
allow for security systems to enable early detection of threats to a computing device or 
network before an harm can be done by quickly and efficiently examining code in real 
time, as noted by Satterlee (Paragraph 11). 
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15. Claim 18 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Mclchionc (U.S. Patent 6,973,578) as applied to claim 1 and in view of Norton (Article 
entitled "Norton Antivirus Corporate Edition User's Guide, dated 09/1 1/2001) as applied 
to claims 2, 6, 8-9, 13-16, 21, 23-25, 28, 30, 32-34, 38, and 40-43 and further in view of 
Satterlee etal. (U.S. PGPUB 2004/0025015) as applied to claims 10-12, 17, 19-20, 22, 
26, 29, 31 , 35, 37, 39, and 44 and further in view of Wolff et al. (U.S. PGPUB 
2002/0174358). 

16. Regarding claim 18, Mclchionc, Norton, and Satterlee do not explicitly teach a 
method comprising: 

A) sending the alert to a network monitoring system. 

Wolff, however, teaches "sending the alert to a networit monitoring system" 
as "An event report, such as a virus detection event, is sent from a reporting computer 2 
to a receiving computer 6 via an internet link 4" (Abstract). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Wolffs would have allowed Mclchionc's. Norton's, and Satterlee's to provide a 
method to allow major antivirus software providers to accurately determine what viruses 
are common and attacking how many users in order to direct resources to combat these 
viruses, as noted by Wolff (Paragraph 4). 
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17. Claims 27 and 36 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Mclchionc (U.S. Patent 6,973,578) as applied to claim 1 and in view of Norton 
(Article entitled "Norton Antivirus Corporate Edition User's Guide, dated 09/11/2001) as 
applied to claims 2, 6. 8-9, 13-16. 21, 23-25, 28, 30, 32-34. 38, and 40-43 and further in 
view of Wolff et al. (U.S. PGPUB 2002/0174358). 

18. Regarding claim 27, Mclchionc and Norton, do not explicitly teach a system 
comprising: 

A) a network monitoring system; and 

B) means to send an alert to the network monitoring system in response to flagging the 
other program. 

Wolff, however, teaches "a network monitoring system" as "a receiving 
computer 6" (Abstract) and "means to send an alert to the network monitoring 
system in response to flagging the other program" as "An event report, such as a 
virus detection event, is sent from a reporting computer 2 to a receiving computer 6 via 
an internet link 4" (Abstract). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Woifrs would have allowed Mclchionc's and Norton's to provide a method to allow 
major antivirus software providers to accurately determine what viruses are common 
and attacking how many users in order to direct resources to combat these viruses, as 
noted by Wolff (Paragraph 4). 
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Regarding claim 36, Mclchionc and Norton, do not explicitly teach a method 
comprising; 

A) providing a network monitoring system; and 

B) providing means to send an alert to the network monitoring system in response to 
flagging the other program. 

Wolff, however, teaches "providing a network monitoring system" as "a 
receiving computer 6" (Abstract) and ''providing means to send an alert to the 
network monitoring system in response to flagging the other program" as "An 
event report, such as a virus detection event, is sent from a reporting computer 2 to a 
receiving computer 6 via an internet link 4" (Abstract). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the teachings of the cited references because teaching 
Wolffs would have allowed Mclchionc's and Norton's to provide a method to allow 
major antivirus software providers to accurately determine what viruses are common 
and attacking how many users in order to direct resources to combat these viruses, as 
noted by Wolff (Paragraph 4). 

Conclusion 

1 9. The prior art made of record and not relied upon is considered pertinent to 

applicant's disclosure. 
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U.S. Patent 6,886,099 issued to Smithson et ai. on 26 April 2005. The subject 
matter disclosed therein is pertinent to that of claims 1-44 (e.g., methods to provide 

4 

virus protection on computers). 

U.S. Patent 6,735,700 issued to Flint et al. on 1 1 May 2004. The subject matter 
disclosed therein is pertinent to that of claims 1-44 (e.g., methods to provide virus 
protection on computers). 

U.S. PGPUB 2002/01 16639issued to Chefalas et al. on 22 August 2002. The 
subject matter disclosed therein is pertinent to that of claims 1-44 (e.g., methods to 
provide virus protection on computers). 

Contact Information 

20. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Mahesh Dwivedi whose telephone number is (571) 272- 
2731 . The examiner can normally be reached on Monday to Friday 8:20 am - 4:40 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Tim Vo can be reached (571) 272-3642. The fax number for the 
organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see httD://Dair-direct.uspto.qov . Should 



Application/Control Number: 10/710.477 Page 49 

Art Unit: 2168 

you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

Mahesh Dwivedi 
Patent Examiner 
Art Unit 2168 

August 04, 2006 




Leslie Wong 
Primary Examiner 



